RE: ftp/sftp user account lockout threshold



Bill,

Thanks very much for your reply.

I've also come across this explanation on the Internet:
http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1213570,00.html

Firstly, something I don't quite understand is where on that page the
author says:

"The no_magic_root option ensures that accounts with a UID of 0 are
tallied. You can change this option to magic_root to reverse this
behaviour."

Does this mean that the root account will potentially be locked out?
Surely not, but I don't understand what the no_magic_root/magic_root
would then do.

Also, the author says:

The last option, per_user, allows you to exclude accounts from locking
if the accounts have a maximum login failure set explicitly. This
exclusion of accounts allows you to specify some accounts that won't be
locked and thus prevent them being the target of a potential Denial of
Service attack. I recommend you exclude any accounts whose disablement
will cause availability issues for applications or databases, for
example the user account that runs a database process. Account exclusions
are specified using the faillog command:

# faillog -u mysql -m -1

What are your views on doing this for all service accounts?

Thanks again.

Johan
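
The pam_tally setup Bill gives below (deny=3, no_magic_root) and the per_user exclusion from the article, as an added example that is not from the thread, the article, or pam_tally's own source: a Python model of the lockout decision, run over constructed faillog-style records to show which service accounts a deny=3 policy could still lock. FailRecord, would_deny, lockable_service_accounts and the rule that a fail_max of -1 means "no limit" are assumptions; even_deny_root_account is pam_tally's documented option for letting root itself be denied.

```python
# Added example (not from the thread or pam_tally): a model of pam_tally's
# lockout decision. Names and the "-1 means no limit" rule are assumptions.
from dataclasses import dataclass

@dataclass
class FailRecord:
    user: str
    uid: int
    fail_cnt: int  # current failure tally, as kept in /var/log/faillog
    fail_max: int  # per-user limit from "faillog -u USER -m N"; 0 = not set

def would_deny(rec, deny=3, no_magic_root=True, per_user=False,
               even_deny_root_account=False):
    """Model of the account-phase check: would this login be refused?"""
    if rec.uid == 0:
        # magic_root (the default): uid 0 is not tallied, so never denied.
        # no_magic_root: tallied, but denied only with even_deny_root_account.
        if not (no_magic_root and even_deny_root_account):
            return False
    limit = deny
    if per_user and rec.fail_max != 0:
        # per_user: a non-zero fail_max from faillog replaces deny=.
        # "faillog -m -1" is modelled here as "no limit" (assumption).
        if rec.fail_max < 0:
            return False
        limit = rec.fail_max
    # deny=n refuses access once the tally exceeds n; 0 means no limit.
    return limit != 0 and rec.fail_cnt > limit

def lockable_service_accounts(records, service_accounts, per_user):
    """Service accounts that repeated failed logins could lock out (the
    denial-of-service case raised in the thread): no effective exemption."""
    at_risk = []
    for rec in records:
        if rec.user in service_accounts:
            # Simulate a long run of failures against an otherwise unchanged record.
            hammered = FailRecord(rec.user, rec.uid, 10_000, rec.fail_max)
            if would_deny(hammered, per_user=per_user):
                at_risk.append(rec.user)
    return at_risk

# Constructed faillog-style records (sample data, not from any real host).
RECORDS = [
    FailRecord("root", 0, fail_cnt=7, fail_max=0),
    FailRecord("johan", 1001, fail_cnt=4, fail_max=0),
    FailRecord("mysql", 27, fail_cnt=9, fail_max=-1),  # faillog -u mysql -m -1
    FailRecord("postgres", 26, fail_cnt=2, fail_max=0),
]
SERVICE_ACCOUNTS = {"mysql", "postgres"}
```

Without per_user the faillog -m -1 exemption is ignored, so under that policy mysql shows up as lockable just like postgres.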



-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Bill Tangren
Sent: 24 July 2007 15:26
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold

Johan Booysen wrote:
Hi,

Thanks for your reply.

I find using pam modules a bit confusing at the moment. Does anyone
know of a good example on how to use pam_tally in this way?

Thanks.

Johan


Add these lines to /etc/pam.d/system-auth

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root

account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

Next, make a faillog:

# touch /var/log/faillog

Also, make sure /etc/pam.d/xscreensaver does not call system-auth, or
you will not be able to unlock your screensaver. This is because
xscreensaver doesn't have the rights to write to the faillog. I copied
the contents of system-auth and put it in xscreensaver, and then I
removed the pam_tally lines. Overkill probably, but it works for me.


-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Bill Tangren
Sent: 23 July 2007 16:09
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold

Johan Booysen wrote:
Dear all,

Does anyone know if it's possible to set up a vsftpd and/or sftp
server so that (for example) after 3 unsuccessful logon attempts, a
user's account is locked out or disabled?

I've done a bit of quick googling on this issue, but have come up
empty so far.

Thanks very much.

Johan


pam can use pam_tally to do this.


--

redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list



